The organization:
a. Develops a security Concept of Operations (CONOPS) for the information system containing, at a minimum, how the organization intends to operate the system from the perspective of information security; and
b. Reviews and updates the CONOPS [Assignment: organization-defined frequency].